Low complexity smart grid security protocol based on elliptic curve cryptography, biometrics and hamming distance

The incorporation of information and communication technologies in the power grids has greatly enhanced efficiency in the management of demand-responses. In addition, smart grids have seen considerable minimization in energy consumption and enhancement in power supply quality. However, the transmission of control and consumption information over open public communication channels renders the transmitted messages vulnerable to numerous security and privacy violations. Although many authentication and key agreement protocols have been developed to counter these issues, the achievement of ideal security and privacy levels at optimal performance still remains an uphill task. In this paper, we leverage on Hamming distance, elliptic curve cryptography, smart cards and biometrics to develop an authentication protocol. It is formally analyzed using the Burrows-Abadi-Needham (BAN) logic, which shows strong mutual authentication and session key negotiation. Its semantic security analysis demonstrates its robustness under all the assumptions of the Dolev-Yao (DY) and Canetti-Krawczyk (CK) threat models. From the performance perspective, it is shown to incur lower communication, storage and computation complexities compared with other related state-of-the-art protocols.


Introduction
Electrical grids comprise networks that perform power generation, transmission as well as distribution. In this environment, there is need for communication and coordination with the power control centers so as to control and monitor the grid. To boost power supply quality, incorporate novel communication technologies, enhance efficient energy distribution and minimize energy consumptions, smart grids have been developed [1][2][3][4]. In essence, the smart grid (SG) integrates communication and information technologies with power systems so as to enhance reliability, efficiency and sustainable power management. In so doing, SG can potentially alleviate challenges of traditional grid systems such as delayed demand response (DR), blackouts and inefficiency in energy management. In addition, the SG can offer reliable energy distribution, live monitoring of energy consumption, two-way energy flow, better resource allocations, outages prediction and prevention, ideal real-time balance between energy demand and supply, as well as incorporation of micro energy generators such as solar power into the electricity grid. Authors in [5] point out that the SG's advanced automation and distributed intelligence can provide fault detection, recovery as well as DR management. A typical SG comprises smart meters, renewable energy resources, smart appliances, distribution networks [6], power plants and transmission networks. As discussed in [7], the SG facilitates the integration of cleaner energy technologies with energy management. This helps in enhancing efficiency and reliability in the power network. In this environment, the smart meter (SM) offers fine-grained home or enterprise power consumption information.
In spite of the numerous merits of the smart grids, many issues remain unresolved in these networks. For instance, the SG requires the deployment of numerous components for control and monitoring. This calls for the amalgamation of power resources at various levels, such as operating systems, cloud databases, networking and smart systems [8]. The massive flow of information in the distributed SG is exposed to many cyber attacks, which compromise its integrity, confidentiality and availability [9][10][11]. These attacks can have adverse effects on the consumers as well as the operation of the grid. As explained in [12], the SM is the point of contact with the SG and is the vulnerable link. Therefore, malicious SM endpoints may instigate attacks such as Sybil, false data injection, identity theft and consumption report altering. In addition, Denial of Service (DoS), data tampering, Man-in-the-Middle (MitM), impersonation, phishing, Sybil and spoofing attacks have been identified as serious challenges in smart grids. On the other hand, eavesdropping, insertion, modification, deletion, forgery [13] and interception of exchanged messages have been noted in [14] to be critical issues that need urgent solution. Similarly, SGs have been noted in [15] to be susceptible to impersonation attacks, MitM, replays and session key disclosure. These attacks may effectively lead to the forwarding of erroneous feedback to the control center, and hence inappropriate decisions may be made [16]. They may also cause malicious consumption data to be sent to the SM, resulting in consumers being charged for energy that they have not utilized [17].
The transmission of messages between consumers and control centers over insecure wireless communications [18] is the major source of SG vulnerabilities. Since the SG security is firmly tied with the data exchange network, it is critical to enforce Authentication, Authorization and Access Control (AAA) at the device level [19]. As explained in [20], proper device identification and authentication can play a central role in the elimination of the above attacks. On the other hand, strong identification, management and authentication of SG devices can potentially aid in the prevention of password breaches, identity theft and impersonation [21]. Owing to the limited computation and communication capability of the SG components such as smart meters, lightweight and secure authentication and key agreement (AKA) schemes are needed in this environment. Although numerous AKA schemes have been developed for this purpose, they have various shortcomings that impede their effective deployments.

A. Motivation
The smart grids are susceptible to numerous attacks such as false command and data injections due to the message exchanges over the open transmission channels. These attacks can cause the utility centers to make erroneous decisions that may have adverse effects such as blackouts. It is also possible for consumer privacy to be compromised such that private information such as economic status, household occupancy and behavioral patterns are discerned. As such, great efforts have been made to develop security solutions in smart grids using techniques such as blockchain, elliptic curve cryptography, public key infrastructure, asymmetric key cryptography, and physical unclonable function. However, most of these approaches incur extensive computation, storage and communication complexities [22]. This limits their deployment in resource-limited smart grid components such as smart gas meters. In addition, most of the current security schemes have susceptibility to numerous attacks and fail to provide mutual authentication, anonymity, non-traceability and key freshness. There is therefore need for novel AKA protocols that address these challenges.

B. Research contributions
In this sub-section, the major contributions of the proposed protocol are summarized as follows:
1. A protocol leveraging on elliptic curve, smart cards, Hamming distance and biometrics is developed for privacy and security enhancement in smart grid networks.
2. Random nonces are deployed to uphold the freshness of the exchanged messages. This is shown to be crucial in the prevention of de-synchronization attacks that are common in most of the timestamp-based authentication schemes.
3. Formal security analysis is carried out through the BAN logic to demonstrate that the smart grid network entities successfully validate each other and negotiate session keys for traffic encryption.
4. Extensive semantic analysis is executed, which shows that our protocol is robust under all the assumptions of the Canetti-Krawczyk and Dolev-Yao threat models.
5. Comparative performance evaluation is effected, which shows that our protocol incurs lower computation, storage and communication complexities compared with other related schemes.

C. Paper organization
The rest of this paper is organized as follows: Section 2 discusses the related work, while Section 3 details the system model. Conversely, Section 4 presents the proposed protocol while Section 5 details its security analysis. This is followed by the performance analysis in Section 6, while Section 7 concludes the paper and gives future research directions.

Related work
Security and privacy issues in smart grids have attracted a lot of attention and research work from the industry and academia. As such, numerous AKA schemes have been proposed to address these challenges [23,24]. For instance, a pairing based anonymous scheme is developed in [25]. However, this scheme is susceptible to ephemeral secret leakage and impersonation attacks [26]. Based on elliptic curve cryptography (ECC), a self-certified scheme is introduced in [27] for key distribution between the SM and control center. However, this technique is vulnerable to DoS attacks and cannot preserve session key security [28]. Similarly, the authentication approach in [29] is susceptible to session key disclosure and impersonation attacks [30]. To address the problems in [29], a provably secure AKA scheme is developed in [30]. Another important technology that can be used to offer energy management, reliability, privacy and security in distributed smart grid environment is the blockchain [31][32][33]. As such, a blockchain-based security protocol is presented in [15] to offer response management in smart grids. This approach is demonstrated to achieve mutual authentication, key agreement, resist various attacks and offer demand response integrity. However, the blockchain incurs heavy computation and storage overheads [34]. These challenges can be addressed by the scheme in [35]. Even though the authentication protocol in [35] offers efficient data aggregation, it is defenseless against MitM attacks due to lack of mutual authentication procedures. To protect against outsider and insider threats, an authorization and authentication scheme is developed in [36]. Alternatively, a protocol based on identities is introduced in [37] to boost the smart grid security levels. However, the protocol in [37] cannot offer anonymity and untraceability. The authors in [38] demonstrate that this scheme is susceptible to numerous attacks, and hence they introduce a novel lightweight protocol to overcome these security issues. Similarly, the key management protocol in [39] guarantees anonymity of the communicating entities. In addition, it has lower computation costs when compared with the scheme developed in [29]. However, the protocol in [39] is never evaluated against attacks such as privileged insider, known session-specific temporary information (KSSTI), spoofing and de-synchronization.
The Physical Unclonable Function (PUF) presents another valuable technology for providing high security levels at relatively low costs. As such, PUF-based protocols have been presented in [40][41][42] for the smart grids. The scheme in [41] does not necessitate the maintenance of secret keys for message exchanges with the aggregator. However, security schemes based on PUF technology have stability challenges due to the stochastic nature of PUF outputs. Conversely, an authentication scheme based on temporary credentials is introduced in [43] to secure the smart grid demand response. However, this protocol can support only one smart meter and hence has scalability issues. In addition, attackers can impersonate the Utility Center (UC) since it lacks initial verification on the UC side [44]. This setback can be addressed by the self-sovereign verification protocol in [7] as well as the anonymous authentication protocol in [45]. Although the protocol in [7] protects against masquerading and identity theft, the scheme in [45] is susceptible to DoS attacks [28]. To provide mutual authentication in smart grids, authors in [46] have introduced a pair-wise key generation scheme. However, this approach cannot uphold anonymity and confidentiality [28]. This problem is addressed by the password-based anonymous key agreement protocol in [47], which provides strong mutual authentication, confidentiality, anonymity, perfect forward key secrecy and non-traceability. Unfortunately, this scheme has some design flaws regarding its two points multiplication over the elliptic curve [48]. In addition, it cannot uphold session key security. Further, it is shown to be vulnerable to passive and active attacks which limit its applicability [40]. As such, an improved AKA protocol has been developed in [48]. Although this scheme offers mutual authentication and session key agreement, it is never evaluated against any attack vectors. In addition, it incorporates timestamps during mutual authentication and hence is vulnerable to de-synchronization attacks.
To boost the security in some of the two-factor authentication protocols discussed above, ECC-based AKA techniques have been introduced in [27,28][47][48][49][50][51][52] for industrial smart grids. However, the deployed ECC requires high communication and computation costs [14]. On the other hand, a masked symmetric key-based protocol is developed in [53]. However, attacks such as privileged insider, masquerading and replay are not considered in this scheme. Similarly, a symmetric key and message authentication code-based approach is presented in [54]. Unfortunately, the timestamp deployed in this protocol can potentially lead to clock synchronization problems [55]. This challenge is solved by the scheme in [56], even though this technique cannot verify two entities of the smart grid [57]. Alternatively, the three-factor user validation scheme developed in [51] is vulnerable to stolen mobile device and impersonation attacks [52]. As such, the authors in [52] have introduced an enhanced three-factor AKA protocol to overcome these challenges. Similarly, an AKA scheme for securing demand response is presented in [58]. Unfortunately, since this technique is based on the traditional power grid system, it is inefficient and is unable to offer demand response records integrity. Based on the above discussion, it is clear that most of the current schemes for security and privacy protection in the smart grids have numerous challenges that render them unsuitable for deployment in smart grids. In addition, some of the schemes such as the one in [57] require the involvement of third parties during the establishment of secure communication among the smart grid devices. This inadvertently presents a single point of failure and may result in privileged insider attacks when this third party turns out to be malicious. On the other hand, most of the Public-Key-Infrastructure (PKI) based schemes such as the ones in [35,59,60], and asymmetric key cryptography based schemes require heavy execution and bandwidth requirements. This is obviously not suitable for smart grid components such as smart gas meters. Although ECC-based techniques such as the ones in [61,62] have reduced computation overheads compared with PKI-based schemes, the smart meters still need to carry out computationally extensive operations. Additionally, the scheme in [61] does not consider privacy protection during the AKA procedures [55]. On its part, the Diffie-Hellman and digital signature-based scheme in [63] incurs high computation and communication costs during signature generation and verification. On the other hand, an anonymous authentication scheme is presented in [64] while efficient security protocols are developed in [65,66]. Conversely, multi-factor authentication schemes are presented in [67,68] while a blockchain-based protocol is introduced in [69]. However, the protocols in [64][65][66][68] have not been evaluated against attacks such as de-synchronization and KSSTI. Similarly, the scheme in [67] has not been evaluated against attacks such as forgery and privileged insider. On the other hand, the blockchain deployed in [69] renders this scheme inefficient [70]. Consequently, the development of novel AKA protocols to address these challenges cannot be overemphasized.
To overcome some of the above challenges, this paper leverages on ECC, Hamming distance and fuzzy extraction to develop a provably secure security scheme. The biometric authentication is facilitated by fuzzy extraction and Hamming distance, while ECC helps in the generation of the random nonces. It is shown that biometric authentication renders our protocol robust against attacks such as privileged insider, guessing and masquerading. On the other hand, the ECC-facilitated random nonces offer untraceability and anonymity. They also help defend against attacks such as de-synchronization, man-in-the-middle (MitM), KSSTI and forgery. These cryptographic primitives are also demonstrated to be lightweight compared to other approaches such as PKI and blockchain.

System model
This section describes some mathematical preliminaries, threat model as well as the security requirements of the proposed scheme.

A. Mathematical preliminaries
The proposed security scheme is based on ECC, Hamming distance and fuzzy extraction. Compared with other public-key cryptosystems such as Rivest, Shamir and Adleman (RSA), ECC provides an equivalent security level but with shorter key sizes. This is beneficial to resource-limited settings [62], exemplified by Internet of Things (IoT) and many smart grid edge devices. In this section, we introduce some mathematical formulations for the basic building blocks of the proposed protocol. This includes Hamming distance, fuzzy extraction and elliptic curve cryptography formulations as discussed below.
1) Hamming distance. The Hamming distance plays a critical role during the exchange of information over noisy communication media. During this process, the following 3 definitions hold:
Definition 1: Suppose that the sender wants to forward message Msg = {0, 1}^q. The Hamming distance comes in handy in fuzzy commitment procedures that facilitate correct transmission of Msg to the receiver. Here, the error correction code (E_CC) comprises code-phrases CS ⊆ {0, 1}^N. At the sender, message Msg_i ∈ Msg is mapped to an element in CS before being transmitted.
Definition 2: For increased levels of redundancy, N > q. A typical E_CC has two functions, for translation and decoding. Let us denote the translation function as t and the decoding function as d. As such:
In this regard, d maps N-bit string s to the nearest code-phrase in CS in terms of the Hamming distance (H_D). If this mapping is not successful, then d outputs Ω.
Definition 3: Suppose that d has a correction threshold of C_T. Then, for some code-phrase RC ∈ CS and error term E_T ∈ {0, 1}^N with Hamming weight ||E_T|| ≤ C_T, the mapping is executed as follows:
2) Fuzzy extraction. During the biometric authentication process, the fuzzy commitment procedures play a crucial role in validating the input template. In this regard, the following definitions are critical.
Definition 5: Provided that W* is fairly close to W, then it can be deployed to decipher commitment F (RC, W) = (ē, ū). In essence, W* need to be exactly equivalent to W. For any successful deciphering, the receiver needs to derive
Definition 6: To validate the sender, the receiver checks whether ē ≟ h (RC*). Upon successful verification, the deciphering process is treated as being valid. Otherwise, W* is treated as malicious and the sender is flagged as such.
Definition 7: In the field of biometric authentication, the input biometric data Bio_i* is not always exactly similar to the biometric template Bio_i. This constitutes noise in this data and hence can be deployed in the fuzzy commitment procedures. In essence, Bio_i is treated as W and therefore RC can be deciphered using input biometric W* that is fairly close to W.
Definition 10: Taking #ǹ as the number of points on E_p(δ_1, δ_2), then in accordance with Hasse's theory, the inequality below holds:
This means that there are p points on E_p(δ_1, δ_2) over Z_p. Additionally, E_p(δ_1, δ_2) constitutes a commutative group in accordance with the addition modulo p operation.
Definition 11: In accordance with the EC point addition, we take P and Q as two points on the EC E_p(δ_1, δ_2). Then Ǻ = (s_Ǻ, y_Ǻ) = P + Q is derived as described below:
where
Definition 12: Based on the elliptic curve point multiplication (scalar multiplication), we let P ∈ E_p(δ_1, δ_2). Then, 6P implies repeated additions such that 6P = P + P + P + P + P + P.

B. Threat model
The Dolev-Yao (DY) and Canetti-Krawczyk (CK) threat models are frequently utilized in the semantic evaluation of authentication schemes. Therefore, this paper adopts these two threat models, in which it is assumed that adversary Å:
1. Can forge, delete, reuse, change, insert, block and eavesdrop the messages exchanged across the insecure communication channels.
2. Has the potential and capability of physically accessing the smart grid components such as the smart meter and extract secret security tokens stored in its memory. This is facilitated using techniques such as side-channeling.
3. Upon obtaining the smart meter security parameters, Å can launch attacks such as spoofing, forgery, guessing, de-synchronization, KSSTI, replay, masquerading, man-in-the-middle and privileged insider.
4. Can capture session keys as well as their intermediary states.

C. Security requirements
To provide enhanced message protection in the smart grid environment, the following goals need to be fulfilled:
1. Anonymity: This property ensures that user and smart meter real identities cannot be discerned from any messages captured over the transmission channel.
2. Untraceability: An attacker who successfully intercepts the message exchange process between the smart meter and the smart grid server should not be in a position to associate any communication sessions to a specific user or smart meter.
3. Mutual Authentication: All the communicating entities should verify each other's identity before they can commence message exchanges.
4. Session Key Negotiation: After successful validation procedures, the smart grid entities must agree on some shared key that they will utilize to protect the exchanged messages.
5. Attacks Resilience: It should be cumbersome for the adversary to launch common smart grid attacks such as privileged insider, spoofing, physical capture, smart card loss, forgery, replay, masquerading, de-synchronization, guessing, KSSTI, and man-in-the-middle attacks.

The proposed protocol
The proposed protocol involves three entities which include the Smart Meter (SM_i), User (U_i) and Smart Grid Server (SGS_i) as shown in Fig 1. Here, the SM_i collects energy consumption information from the consumers and forwards the same to the SGS_i located at the utility control center. As illustrated in Fig 1, the communication channel between SM_i and SGS_i is the public internet. Depending on the received consumption reports from the SM_i, decisions are made by the SGS_i regarding energy adjustments. In this context, the U_i refers to the system administrator located at the utility control center. Table 1 details the symbols used in this paper.
From the execution perspective, this scheme comprises 7 phases: system initialization, smart meter registration, user registration, login, authentication, session negotiation, and finally password change. The sub-sections below discuss the details of each of these phases.

A. System initialization
In this scheme, the smart grid server SGS_i is a trusted entity that bridges the communication between the smart meter SM_i and user U_i. During the initialization phases, the security tokens applicable during the subsequent registration, login, authentication and key establishment phases are derived.
Step 1: The SGS_i selects elliptic curve additive group G over some finite field F_p, where P is the generator, whose order is a large prime number N.
Step 2: The SGS_i generates random nonce R_1 ∈ Z*_N and sets it as its clandestine key. Next, the SGS_i derives its corresponding public key P_K = P·R_1. Next, the SGS_i chooses SGS_MK as its master key. The keys R_1 and SGS_MK will be used later during the registration, login and authentication phases to derive ephemeral parameters.
Step 3: Security parameters R_1 and SGS_MK are secretly kept by the SGS_i in its database. Next, it publishes parameter set {P, E(F_p), P_K, G}. All these security parameters are deployed by the network entities to compute intermediary tokens during the registration, login, authentication and key negotiation phases.
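The point addition, scalar multiplication and key derivation described in Definitions 10 to 12 and in the initialization steps above can be traced on a toy curve. This is an added example, not code from the paper: the curve y^2 = x^3 + 2x + 2 over F_17, the generator (5, 1) and the scalars are constructed values, the slope formulas are the standard ones, and A_5 = ñP is an assumption read off the relation B_1* = A_5·R_1 = ñ·P·R_1 used later in the login phase.

```python
# Added example: toy curve y^2 = x^3 + 2x + 2 over F_17 (constructed parameters,
# far too small for real use; they only make the arithmetic easy to follow).
P_MOD, D1, D2 = 17, 2, 2          # p, delta_1, delta_2
G = (5, 1)                        # generator P, of prime order N
N_ORDER = 19
INF = None                        # point at infinity (group identity)


def on_curve(pt):
    """True if pt satisfies the curve equation (or is the identity)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + D1 * x + D2)) % P_MOD == 0


def ec_add(p1, p2):
    """Definition 11: chord-and-tangent addition P + Q (standard formulas)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # P + (-P) = identity
    if p1 == p2:
        lam = (3 * x1 * x1 + D1) * pow((2 * y1) % P_MOD, -1, P_MOD)   # tangent
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)           # chord
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def repeated_add(k, pt):
    """Definition 12 taken literally: kP = P + P + ... + P (k terms)."""
    acc = INF
    for _ in range(k):
        acc = ec_add(acc, pt)
    return acc


def ec_mul(k, pt):
    """Same result with O(log k) additions (double-and-add)."""
    acc, addend = INF, pt
    while k > 0:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def count_points():
    """Number of curve points: affine solutions plus the point at infinity."""
    return 1 + sum(1 for x in range(P_MOD) for y in range(P_MOD)
                   if on_curve((x, y)))


def hasse_holds(n_points):
    """Hasse bound |#E - (p + 1)| <= 2*sqrt(p), checked without floats."""
    return (n_points - (P_MOD + 1)) ** 2 <= 4 * P_MOD


def keygen(r1):
    """Initialization Step 2: private R_1 in Z*_N, public key P_K = P*R_1."""
    if not 1 <= r1 < N_ORDER:
        raise ValueError("R_1 must lie in Z*_N")
    return ec_mul(r1, G)


if __name__ == "__main__":
    r1, n_tilde = 7, 5                    # constructed R_1 and ñ
    p_k = keygen(r1)
    a5 = ec_mul(n_tilde, G)               # assumed A_5 = ñP
    print("6P =", ec_mul(6, G), "=", repeated_add(6, G))
    print("#E =", count_points(), "Hasse bound holds:", hasse_holds(count_points()))
    print("A_5*R_1 =", ec_mul(r1, a5), " ñ*P_K =", ec_mul(n_tilde, p_k))
```

Both sides of the last line are the same point because scalar multiplication commutes, which is what lets the server recompute a value the card derived from the public key alone.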

B. Smart meter registration
Before the deployment of the smart meters, they must generate and be assigned security parameters that they store in their memories. These parameters are then used during login phase and also to authenticate these smart meters to the smart grid network. To realize this, the two steps described below are executed.
Step 1: The smart grid server SGS_i chooses value SMID_i as the identity of smart meter SM_i. Next, it derives SK_S-SM = h (SMID_i||SGS_MK) as the secret key between SGS_i and SM_i as shown in Fig 2.
Step 2: The SGS_i composes registration message Reg_1 = {SMID_i, SK_S-SM} which is forwarded to the SM_i for private buffering in its memory. Finally, smart meter SM_i is deployed in particular premises.

C. User registration
In smart grids, the users may be interested in accessing the smart grid data deployed in some given premises. It is therefore important that all users be registered at the smart grid server SGS_i as shown in Fig 2. This registration is important as the users are assigned parameters that they will deploy during the subsequent login, authentication and session key establishment phases. This phase is executed using the five steps described below.
Step 1: The user U_i chooses some unique user identity UID_i and strong password PW_i. Next, the user U_i generates random nonce R_2 that is used to derive parameter
Step 2: The user imprints biometric Bio_i on the reader device. Next, the user registration request Reg_2 = {UID_i, A_1, Bio_i} is composed and transmitted over to the SGS_i across secure communication channels.
Step 3: After getting registration request Reg_2 from U_i, the SGS_i selects some random code-phrase RC_i ∈ CS for this particular user. Next, it derives F (RC_i, Bio_i) = (ē, ū), where ē = h (RC_i) and ū = RC_i ⊕ Bio_i.
Step 4: The SGS_i derives parameter
Next, it composes registration response message Reg_3 = {U_SC} that is sent to U_i over secure channels. Finally, the SGS_i buffers UID_i in its database.
Step 5: On getting this smart card, the user appends R_2 into it. As such, the smart card now holds parameter set {ē, f(.), ū, A_2, A_3, P_K, R_2}. Algorithm 1 below summarizes the system initiation, user registration and smart meter registration processes.

D. Login, mutual authentication and session negotiation phase
The aim of this phase is to ensure that all users and smart meters accessing the smart grid server are legitimate entities and hence protect the network against attacks. In addition, the session key is derived which will be used to encipher the data exchanged among the users, smart meters and smart grid servers. To accomplish this, user biometric data Bio_i*, password PW_i, user identity UID_i and smart card U_SC are deployed. Here, the U_SC buffers the security tokens that the user utilizes to derive ephemeral security parameters. This is an 8-step process as described below. Algorithm 2 gives the summary of the login, mutual authentication and session negotiation phase.
Step 1: The user then inserts U_SC into its reader device before imprinting biometric Bio_i*. Thereafter, the smart card computes
Step 2: The smart card confirms whether h (RC_i*) ≟ ē = h (RC_i). Essentially, the session is aborted whenever this verification flops. This means that the user has to initiate another login attempt. Otherwise, this particular user has successfully passed the biometric authentication.
Step 3: The user inputs identity UID_i and password PW_i after which parameter is derived. This is followed by the checking of whether A_2* ≟ A_2 such that the session is aborted when these two parameters are not equivalent. Consequently, the user must re-enter the correct values for UID_i and PW_i. Otherwise, the user's UID_i and PW_i have been successfully verified by the smart card.
Step 4: The U_SC chooses some arbitrary nonce R_3 and parameter ñ ∈ Z*_N. Next, it computes security parameters
Step 5: On receiving login request Log_Req, the SGS_i computes parameters B_1* = A_5·R_1 = ñ·P·R_1 and UID_i* = B_2 ⊕ B_1*. Next, it confirms whether the derived identity UID_i* is in its database such that the login request is rejected if it is not. When this happens, the SGS_i must request the user to resend valid message Log_Req. Otherwise, the SGS_i computes
It then checks whether B_5* ≟ B_5 such that the session is aborted if these parameters are not identical. Once again, the SGS_i prompts the user to re-forward valid message Log_Req. Otherwise, the SGS_i generates some arbitrary nonce R_4 that it deploys to re-compute secret key SK_S-SM* = h
Step 6: Upon getting hold of message, the SM_i derives
Step 8: Upon obtaining message Auth_3, user
Once again, the user has to prompt the SGS_i for the correct authentication message Auth_3. Otherwise, the user, smart meter and the smart grid server have successfully authenticated each other. In addition, these three entities share session key ɸ_U = ɸ_S = ɸ_M. As such, the user can now access the smart meter data through the smart grid server.

Algorithm 2. Login, Mutual Authentication and Session Negotiation
In Algorithm 2, the expected outcomes or state changes in each step of Algorithm 2 are the various transient security parameters derived during the login, mutual authentication and session negotiation procedures.
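The fuzzy commitment of Definitions 1 to 7, as it is used in user registration Step 3 (ē = h(RC_i), ū = RC_i ⊕ Bio_i) and in login Steps 1 and 2 (the check h(RC_i*) ≟ ē), can be exercised end to end. This is an added example, not the paper's implementation: the 5-fold repetition code, SHA-256 as h, the 80-bit template and the recovery rule RC* = d(ū ⊕ W*) (the standard fuzzy-commitment decoding) are assumptions chosen for illustration.

```python
import hashlib
import hmac

Q = 16                 # message length q in bits
R = 5                  # each message bit is repeated R times
N = Q * R              # code-phrase length N > q (Definition 2)
C_T = (R - 1) // 2     # correction threshold of this code: 2 bit errors
BLOCK = (1 << R) - 1


def hamming(a, b):
    """Hamming distance H_D between two N-bit strings held as integers."""
    return bin(a ^ b).count("1")


def translate(msg):
    """t: map a q-bit message to its N-bit code-phrase in CS."""
    code = 0
    for i in range(Q):
        if (msg >> i) & 1:
            code |= BLOCK << (i * R)
    return code


def decode(s):
    """d: nearest code-phrase to s by Hamming distance, or None (Ω) when s
    lies further than C_T from every code-phrase."""
    msg = 0
    for i in range(Q):
        if bin((s >> (i * R)) & BLOCK).count("1") > R // 2:   # majority vote
            msg |= 1 << i
    nearest = translate(msg)
    return nearest if hamming(s, nearest) <= C_T else None


def h(x):
    """One-way hash h(.) over the N-bit string (SHA-256, an assumption)."""
    return hashlib.sha256(x.to_bytes(N // 8, "big")).digest()


def commit(rc, w):
    """Registration Step 3: F(RC, W) = (ē, ū) with ē = h(RC), ū = RC ⊕ W."""
    return h(rc), rc ^ w


def open_commitment(e_bar, u_bar, w_star):
    """Login Steps 1-2: derive RC* = d(ū ⊕ W*) from a fresh reading W*
    (assumed standard decoding), then test h(RC*) ≟ ē in constant time."""
    rc_star = decode(u_bar ^ w_star)
    if rc_star is None or not hmac.compare_digest(h(rc_star), e_bar):
        return None                      # session aborted
    return rc_star


def flip(w, positions):
    """Model sensor noise by flipping the given bit positions of a reading."""
    for pos in positions:
        w ^= 1 << pos
    return w


# Constructed sample data: an 80-bit stand-in for the template Bio_i (= W)
W = int.from_bytes(
    hashlib.sha256(b"constructed biometric template").digest()[:N // 8], "big")
RC = translate(0xBEEF)                   # code-phrase chosen by the server
E_BAR, U_BAR = commit(RC, W)             # what the smart card stores

if __name__ == "__main__":
    print("exact reading       :", open_commitment(E_BAR, U_BAR, W) == RC)
    print("2 noisy bits        :", open_commitment(E_BAR, U_BAR, flip(W, [0, 41])) == RC)
    # 3 errors in one block decode to a different code-phrase; the hash check rejects it
    print("3 bits, same block  :", open_commitment(E_BAR, U_BAR, flip(W, [0, 1, 2])))
    # 3 errors spread out exceed C_T, so d outputs Ω
    print("3 bits, spread out  :", open_commitment(E_BAR, U_BAR, flip(W, [0, 5, 10])))
```

The card stores only ē and ū, never the template itself, and the third case shows why the hash comparison is needed in addition to decoding: d can return a valid but wrong code-phrase.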

E. Password change phase
This stage is triggered whenever the user password is compromised. It can also be triggered if the security policy advocates for periodic password change. The following 4 steps are executed during this phase. Algorithm 3 summarizes the password change phase.
Step 1: The user U_i inserts U_SC into its reader and imprints biometric data Bio_i* on the special device. Afterwards, the smart card derives parameter RC_i* and confirms whether h (RC_i*) ≟ ē = h (RC_i). Here, the session is aborted if this verification flops. When this occurs, the user is prompted to re-enter correct values for the biometric data Bio_i*.
Step 2: Provided that the validation in Step 1 is successful, the user has successfully passed the biometric confirmation process. Next, the U_i inputs UID_i and PW_i upon which parameter A_2* is derived.
Step 3: The U_SC validates the derived parameter A_2* against A_2 such that the password change request is turned down if these two parameters are disparate. At this juncture, the user is prompted to re-enter correct values for UID_i and PW_i. However, if they are equivalent, the U_SC permits U_i to input new password PW_i^New.
Step 4: The U_SC derives security parameters
Algorithm 3 is basically a summary of the Password Change Phase and hence all the validations and changes occurring are captured in step 1 to step 4 of this phase.

Security analysis
In this section, the most outstanding security characteristics offered by our scheme are both formally and semantically analyzed as described below.

A. Formal security analysis
To show that strong mutual authentication and common session keys negotiation are carried out among the U_i, SGS_i and SM_i, the Burrows-Abadi-Needham logic (BAN logic) is deployed. Table 2 presents the BAN logic notations deployed during this proof.
During the BAN logic analysis, the BAN logic rules in Table 3 are deployed.
For strong privacy and security enhancement in smart grids, the eight goals in Table 4 must be satisfied.
To prove the security goals in Table 4 above, the following initial state assumptions (ISA) are made.

To effectively execute the BAN logic proofs, the messages transmitted during the login, authentication and key negotiation phases are converted into idealized format as follows.
Log Req :
Thereafter, using the above initial state assumptions, BAN logic rules and idealized messages, the above formulated security goals are proved as follows.
Based on the idealized Log Req , SR is applied to yield BAN logic proof 1 (BP 1 ).
Using the MMR and ISA 6 on BP 1 , we get BP 2 .
On the other hand, FPR, ISA 1 and NVR are used in BP 2 to yield BP 3 .
Based on BP 3 , ISA 6 , ISA 12 and JR, we obtain BP 4 .
Applying the SKR on BP 4 results in BP 5 , and hence G-5 is achieved.
On the other hand, ISA 12 and NVR are utilized in BP 5 to obtain BP 6 , effectively fulfilling G-6.
However, applying SR to both idealized Auth 1 and Auth 3 results in BP 7 .
Using ISA 9 and the MMR on BP 7 yields BP 9 .
On the other hand, applying ISA 4 and the MMR on BP 8 results in BP 10 .
Based on FPR, NVR, ISA 2 , ISA 14 and BP 9 , we get BP 11 .
However, according to FPR, NVR, BP 10 , ISA 2 and ISA 11 , BP 12 is obtained.
According to JR, ISA 11 and BP 12 , we obtain BP 13 .
The application of the SKR on BP 13 results in BP 14 . Therefore, G-1 is achieved.
Based on BP 13 and ISA 14 , SKR is deployed to yield BP 15 . As such, G-2 is realized.
Conversely, SKR is applied on BP 14 to yield BP 16 . This effectively attains G-3.
Similarly, the application of SKR on BP 14 , ISA 5 and ISA 11 results in BP 17 . This means that G-4 is realized.
Applying SR to idealized Auth 2 results in BP 18 .
Next, the MMR is utilized in ISA 7 and BP 18 to get BP 19 .
Based on ISA 3 and BP 19 , FPR and NVR are applied to get BP 20 .
This is followed by the application of JR to ISA 7 , ISA 13 and BP 20 to obtain BP 21 .
According to ISA 8 , the usage of SKR in BP 21 yields BP 22 , effectively realizing G-7.
Finally, SKR is applied to ISA 13 , ISA 15 and BP 21 to get BP 23 . This attains G-8.
The BAN logic proofs executed above confirm the attainment of mutual AKA procedures among the smart grid entities. In addition, they affirm the negotiation of session keys ɸ S = ɸ U = ɸ M between the U i and SM i with the help of the SGS i .

B. Informal security analysis
In this sub-section, our scheme is shown to be robust under all the assumptions of the Dolev-Yao (DY) and Canetti-Krawczyk (CK) threat models. To accomplish this, the following lemmas are devised and proved.
Lemma 1: Privileged insider and masquerading attacks are prevented.

Proof:
The assumption made here is that a highly privileged entity such as the smart grid server administrator is interested in obtaining the registration information for some particular user. Afterwards, an attempt is made to impersonate this particular user U i . During U i registration with the SGS i , registration request Reg 1 = {UID i , A 1 , Bio i } is transmitted. Suppose that adversary Å wants to recover user password PW i from A 1 , where A 1 = h(R 2 ||PW i ). However, PW i is encapsulated in random nonce R 2 before being one-way hashed. Mathematically, it is impossible to reverse the one-way hash function. As such, the recovery of PW i from A 1 is not possible. Therefore, masquerading and privileged insider attacks are thwarted.

Lemma 2: This protocol is robust against replay and de-synchronization attacks.
Proof: In this protocol, random parameters R 3 , ñ, R 4 and R 5 are incorporated in the exchanged messages. For instance, messages Log Req , Auth 1 , Auth 2 and Auth 3 all incorporate random parameters. Here,
Whereas R 3 and ñ are generated by the user U i , R 4 is generated at the SGS i . On the other hand, random nonce R 5 is generated at the SM i . These random parameters ensure the freshness of the exchanged messages during a given communication session. However, in most schemes, replay attack prevention involves timestamps. Unfortunately, attackers can easily mount de-synchronization attacks riding on the deployed timestamps. Since the proposed protocol is devoid of timestamps, de-synchronization attacks are not possible.
Lemma 3: Smart meter anonymity and untraceability are preserved.
Proof: During the login and authentication phases, messages Log Req , Auth 1 , Auth 2 and Auth 3 are exchanged. Here,
Clearly, none of these messages carry the plain-text smart meter identity SMID i *. Although parameter C 4 contains SMID i *, it is encapsulated in other security parameters before being enciphered using one-way hashing function h(.). Suppose that an attacker Å wants to recover SMID i * from Log Req . However, this requires knowledge of the SGS i secret key R 1 and master key SGS MK . The inclusion of random nonces in the exchanged messages ensures that these messages are dynamically changed after each communication session. As such, it is cumbersome for Å to trace diverse sessions initiated by particular smart meters.
Lemma 4: The entities mutually authenticate each other and negotiate session keys.
Proof: In this scheme, the SGS i is a trusted entity and serves to bridge the communication between U i and SM i . The mutual authentication among these three communicating entities is both implicit and explicit. During the login procedures, U i constructs and transmits login request message Log Req = {A 5 , B 2 , B 3 , B 4 , B 5 } to the SGS i . Upon receiving this message, the SGS i utilizes R 1 to recover UID i * = B 2 ⊕ B 1 *. Here, B 1 * = A 5 R 1 , B 1 = ñP K = ñPR 1 and B 2 = UID i ⊕ B 1 . It then confirms if UID i * is in its database such that the login request is denied if it is not. To authenticate U i , the SGS i re-computes A 4 *, R 3 *, SMID i * and B 5 *. Here,
This is followed by the confirmation of whether B 5 * ≟ B 5 such that the session is aborted if these parameters are dissimilar. On the other hand, upon receiving authentication message Auth

Based on Lemma 3 and Lemma 5, adversary Å is unable to recover UID i and SMID i from the exchanged messages Auth 1 , Auth 2 and Auth 3 . Suppose that Å has access to the random nonces R 3 , R 4 and R 5 . The next objective is to derive the session keys using these nonces. However, devoid of the knowledge of user identity UID i and smart meter identity SMID i , this derivation fails.
Lemma 9: This scheme is robust against guessing attacks.
Proof: The thwarting of invalid logins is critical for prevention of unnecessary computation and communication overheads. To this end, the fuzzy commitment technique is deployed to validate the biometric information imprinted by U i . In the login phase, the user has to insert U SC into its reader and imprint biometric Bio i * on some special device. Afterwards, the smart card derives parameter
To validate the imprinted Bio i *, it checks whether h(RC i *) ≟ ē = h(RC i ). It is only after successful biometric verification that U i can proceed to input UID i and PW i . Essentially, biometric, identity and password validation must be successful before U i can be allowed access to the smart grid systems. As such, it is difficult for the adversary Å to correctly guess all these three security parameters so as to gain access.
Lemma 10: This protocol can withstand MitM attacks.
Proof: The objective of the adversary here is to intercept the transmitted messages and change them before forwarding them to the unsuspecting destination terminals. In the proposed protocol, 4 messages are exchanged during the login and AKA procedures. The four messages include
However, this requires correct guessing of the random nonces R 3 , ñ, R 4 and R 5 . In addition, Å needs to have knowledge of user identity UID i , smart meter identity SMID i , secret key SK S-SM as well as session key ɸ M . Based on Lemma 3 and Lemma 5, UID i and SMID i cannot be eavesdropped by Å. By Lemma 2, nonces R 3 , ñ, R 4 and R 5 are stochastic and hence cannot be correctly derived by the adversary. On the other hand, Lemma 8 illustrates the difficulty of deriving session keys ɸ M , ɸ U and ɸ S . All these, coupled with the challenges of obtaining secret key SK S-SM , prove that our protocol can withstand these attacks.
Lemma 11: This protocol is robust against physical capture attacks.
Proof: Suppose that an adversary Å has gained physical access to the smart meter SM i . The next goal is to retrieve the parameters stored in SM i so as to derive the session key ɸ M = h and random code-phrase RC i ∈ CS. During the registration phase, parameter set {SMID i , SK S-SM } is privately stored in SM i 's memory. Although the attacker has access to SMID i and SK S-SM , it is computationally infeasible to simultaneously and correctly guess the random nonces deployed in ɸ M . In addition, Å requires user password PW i . However, based on Lemma 1, the adversary is unable to obtain this password and hence this protocol is resilient against smart meter physical capture attacks.
Lemma 12: This scheme can withstand spoofing attacks.
Proof: The aim of the attacker here is to attempt to present security parameters belonging to other legitimate entities for the authentication process. During the login and AKA procedures, the SGS i authenticates U i by checking whether B 5 * ≟ B 5 . On the other hand, the SM i authenticates SGS i by confirming if C 4 * ≟ C 4 . Similarly, the SGS i validates SM i by checking if D 1 * ≟ D 1 . Finally, the U i authenticates SGS i through the confirmation of whether D 4 * ≟ D 4 . Here,
It is evident that devoid of correct SMID i , UID i , SK S-SM *, ɸ M , ɸ U and random nonces, authentication using spoofed parameters will fail.

Performance evaluation
Computation, storage, supported security features and communication complexities are the most predominant parameters for appraising the performance of security schemes. As such, these four metrics are utilized in this section to appraise the developed scheme.

A. Computation complexity
In most authentication and key negotiation processes, the execution times for map to point hash (T MH ), symmetric encryption or decryption (T ED ), one-way hashing operations (T H ), Hash-based Message Authentication Code (T HMAC ), ECC point multiplications (T EM ), modular exponentiation (T E ), ECC point addition (T EA ), pseudo-random function (T PF ) and bilinear operation (T BP ) are considered. Using the values in [25,55,58], Table 5 gives the execution times of these cryptographic primitives.
In the process of executing login and AKA procedures, the U i carries out 2 ECC point multiplications (T EM ) and 8 one-way hashing operations (T H ). On the other hand, the SGS i carries out 1 T EM operation and 9 T H operations. However, the SM i executes only 4 T H operations. As such, the execution time at the U i is 4.4704 ms while this value is 2.2467 ms at the SGS i . On the other hand, the computation complexity at the SM i is only 0.0092 ms. Therefore, the total computation cost is 6.7263 ms. However, considering only the SM i and SGS i residing on the utility control, the overall computation complexity is 2.2559 ms. Table 6 gives the comparison of the obtained computation cost against other state of the art protocols.
As illustrated in Fig 4, the scheme in [63] incurs the highest computation costs while the proposed protocol has the least computation overheads. Although the scheme in [56] has the second lowest computation complexity, it cannot provide authentication between two entities of the smart grid. In addition, its design fails to consider forgery, smart card loss, guessing and de-synchronization attacks. Further, it cannot provide both user untraceability and anonymity.

B. Communication complexity
Based on the values in [58,71], SHA-1, ECC points, random nonce, identities and public or private keys are 160 bits, 320 bits, 160 bits, 64 bits and 160 bits respectively. As such, the lengths of Auth 1 , Auth 2 and Auth 3 are 640 bits, 320 bits and 480 bits respectively. Therefore, the cumulative bandwidth requirement is 1440 bits. The data of our experiments is based on the data set in [72]. Table 7 presents the communication complexity comparisons with other schemes. As illustrated in Fig 5, the scheme developed in [63] incurs the highest communication overheads while the scheme in [53] requires the least. Conversely, our scheme incurs the fourth lowest communication costs after the schemes in [25,43,53] respectively. However, each of these security approaches has some setbacks that render them unsuitable for deployment in the smart grid environment. For instance, the scheme in [53] does not consider replay, privileged insider and masquerading attacks in its design. On the other hand, the protocol in [25] cannot withstand ephemeral secret leakage and impersonation attacks.
Similarly, the approach in [43] can support only one smart meter and hence has scalability issues. In addition, its architecture does not consider smart card loss, forgery, mutual authentication, guessing, de-synchronization, user untraceability and anonymity.

C. Space complexities
To derive the space complexity of our scheme, we consider the length of the parameters that have to be stored in the smart meter devices. During the registration phase, security parameter set {SMID i , SK S-SM } is privately stored in the memory of the SM i . Therefore, using the values in [58,71], the space complexity at the SM i and U i is 320 bits. Table 8 offers the space comparisons with other related protocols.
As illustrated in Fig 6, the scheme in [25] incurs the highest space complexity while the approach in [53] exhibits the lowest. Conversely, the proposed protocol requires the second lowest space overheads of only 320 bits. However, it has already been noted that the protocol in [53] does not consider replay, masquerading and privileged insider attacks in its design. Evidently, all the schemes that perform slightly better than the proposed protocol have numerous performance and security challenges. For example, the protocol in [56] has the lowest computation complexity but relatively higher communication and storage overheads. On the other hand, the technique in [53] incurs the least storage and communication costs but has relatively higher computation costs.

D. Security features
To effectively appraise the developed protocol, its security goals and features are compared with those offered by other related state of the art protocols. Table 9 gives a summary of this comparison. It is evident from Table 9 that only our protocol provides all the thirteen security characteristics. This is followed by the scheme in [54] which offers only 8 features. Next are the protocols in [25,37,56,61,62] which provide only 7 features each. The schemes in [43,57] follow with 6 features each, while the approaches in [53,63] offer only 3 features each. Therefore, although our scheme incurs slightly higher storage and communication costs, it is the most secure. Conversely, the scheme in [53] exhibits the least communication and storage costs but is the most insecure among all the protocols. Consequently, the proposed protocol offers the best trade-off between performance and security. Therefore, it is the most ideal for deployment in highly sensitive and resource-limited smart grid environments.

Conclusion
Smart grids offer efficiency in the management of demand responses in power systems. However, the exchange of consumption data over open public channels implies that these messages are susceptible to a myriad of privacy and security violations. As such, previous research has seen the introduction of numerous smart grid protection schemes. Unfortunately, many vulnerabilities have been discovered in these protocols that can be exploited to compromise smart grids. In addition, some of the current security solutions incur extensive storage, communication and computation complexities that limit their deployment in resource-constrained smart grid devices. To remedy some of these challenges, an efficient and provably secure protocol is introduced in this paper. The semantic security analysis has demonstrated its robustness under all the assumptions in the Dolev-Yao and Canetti-Krawczyk threat models. In addition, formal security analysis using the BAN logic has shown the attainment of strong mutual authentication and establishment of session keys among the smart grid entities. In terms of performance, it is shown to incur the lowest execution time, and relatively lower communication and space complexities compared with other related protocols. It is therefore applicable in resource-constrained smart grid environments where sensitive and private messages are exchanged. Future work in this domain will involve the analysis of this scheme using additional metrics that were not incorporated in the current work.

Algorithm 1. System Initiation, User and Smart Meter Registration
Begin
    # ***System Initialization***
    Choose G over F p and generate random nonce R 1 as private key
    Derive corresponding public key as P K and master key as SGS MK
    Secretly keep R 1 and SGS MK at SGS i and publish parameter set {P, E (F p ), P K , G}
    # ***Smart Meter Registration***
    Choose SMID i as smart meter SM i 's identity
    Set SK S-SM as secret key between smart grid server SGS i and smart meter SM i
    Privately store parameter set {SMID i , SK S-SM } in smart meter SM i 's memory
    Deploy SM i in its application domain
    # ***User Registration***
    Select user identity and password as UID i and PW i respectively
    Generate random nonce R 2 and derive A 1
    Imprint user biometric Bio i into the reader, compose registration message Reg 1 then forward it to SGS i
    Select random code-phrase RC i then derive values F (RC i , Bio i ), A 2 and A 3
    Store values {ē, f (.), ū, A 2 , A 3 , P K } in smart card U SC
    Construct registration message Reg 2 then forward it to user U i
    Buffer user identity UID i in smart grid server SGS i 's database
    Append random nonce R 2 to smart card U SC
End

UID i , PW i have passed verification
Select R 3 , ñ and derive A 4 , A 5 , B 1 , B 2 , B 3 , B 4 & B 5
Construct Log Req and forward it to SGS i
Derive B 1 * and UID i *
IF UID i * is not in database THEN: compute A 4 *, R 3 *, SMID i * and B 5 *
IF B 5 * != B 5 THEN:
    Abort session
ELSE:
    Generate R 4 and derive SK S-SM *, C 1 , C 2 , C 3 and C 4
    Compose Auth 1 and forward it to SM i
    Derive UID i **, R 4 *, R 3 ** and C 4 *
    IF C 4 * != C 4 THEN:
        Terminate session
    ELSE:
        Generate R 5 and compute C 5 , ɸ M & D 1
        Compose Auth 2 and forward it to SGS i
        Derive R 5 *, ɸ S & D 1 *
        IF D 1 * != D 1 THEN:
            End session
        ELSE:
            Compute D 2 , D 3 & D 4
            Construct Auth 3 and forward it to U i
            Derive R 4 **, R 5 **, ɸ U and D 4 *
            IF D 4 * != D 4 THEN: